8.8

CVE-2024-24819

icingaweb2-module-incubator base implementation for HTML forms is susceptible to CSRF

icingaweb2-module-incubator is a working project of bleeding edge Icinga Web 2 libraries. In affected versions the class `gipfl\Web\Form` is the base for various concrete form implementations [1] and provides protection against cross site request forgery (CSRF) by default. This is done by automatically adding an element with a CSRF token to any form, unless explicitly disabled, but even if enabled, the CSRF token (sent during a client's submission of a form relying on it) is not validated. This enables attackers to perform changes on behalf of a user which, unknowingly, interacts with a prepared link or website. The version 0.22.0 is available to remedy this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IcingaIcingaweb2-module-incubator Version < 0.22.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.26% 0.171
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com 5.3 0.5 4.7
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

https://github.com/Icinga/icingaweb2-module-incubator/commit/db7dc49585fee0b4e96be666d7f6009a74a1ccb5
Patch
https://github.com/Icinga/icingaweb2-module-incubator/security/advisories/GHSA-p8vv-9pqq-rm8p
Third Party Advisory
https://github.com/search?q=gipfl%5CWeb%5CForm%3B&type=code
Permissions Required